There is a network data delivery technology called multicasting that delivers the same data to a number of specified destinations. Today, network environments, typified by the Internet, are widely used and therefore multicasting may require encryption of data before sending. For example, a certain subset of terminals on a network may be specified as a recipient group and data may be encrypted and delivered in such a manner that only the terminals in that recipient group can decrypt it.
Various encryption technologies have been proposed, including one in which a predetermined dealer centrally manages decryption keys, one in which each terminal generates and manages a public key and secret key of a public key cryptosystem, and one in which recipient groups capable of decrypting encrypted data can be dynamically changed. A typical prior-art technology is broadcast encryption described in a document entitled “Broadcast Encryption” (Crypto 93, LNCS, 1993; by Fiat, A. and Naor, M.).
That document proposes a method for constructing an encryption key such that only members of a recipient group, which is a given subset of a given user group, can decrypt. In particular, the proposed method sets a threshold for the size of a coalition among users and generates a group secret key that can resist a coalition up to that size (a group key that cannot be cracked unless that number of users form a coalition). Encrypted data can be decrypted by any single member of the recipient group.
Prior-art encryption technologies of this type, including the above-described Broadcast Encryption, in general allow a single terminal belonging to a recipient group to decrypt encrypted data.
Multicasting as described above is required not only in a client-server model, in which it is mostly a server on a network that delivers information (contents) to clients, but also in a peer-to-peer model, which provides the capability of exchanging information between terminals. For example, multicasting may be used when information is exchanged between terminals in a certain group formed on a network. It would be advantageous to have an encryption technology for implementing secure multicasting in such an environment in which encrypted data can be decrypted only by a coalition of all or some of the terminals that belong to a group. Known encryption technologies that aim to prevent decryption of encrypted data by a coalition of terminals, as assumed by prior-art technologies such as the broadcast encryption, can be applied to the above-described environment.